Vulnerability

This program allows us to build planes, which we can name, as well as build airports, which we can also name and list information about.
We can fly planes to different airports and also sell planes and airports, which frees them.
The planes are allocated on the heap and maintained in a doubly-linked list, the head of which is a global in the .BSS.
Similarly, the airports are also allocated on the heap and maintained in a global array of pointers.

There are many different vulnerabilities in this program.

Firstly, there is an out-of-bounds read vulnerability which allows us to leak a libc pointer and a heap pointer.

In the following disassembly, choice_ is an index that we get to specify and that has no checks performed on it.

companies is a global array that contains 4 pointers, each pointing to a different string.
Eventually, the contents of whatever pointer sits at the choice_ index we specify into this array are printed out.
But as we can see, there is nothing preventing us from specifying an index beyond the array's 4 entries.

We can simply free a couple of airports to get a libc pointer and a heap pointer into some heap chunks, and then specify 14 and 15 as our indices for 2 planes that we fly to an airport.

Then we just list the information for all the planes in that airport to get our leaks.
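To make the bug concrete from the defender's side, here is an added example (not the challenge's code) contrasting the unchecked company lookup the write-up describes with a range-checked version. The table name companies and its size of 4 come from the write-up; the company strings, the plane struct and all function names are assumed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the challenge's global table of company-name pointers.
 * The count of 4 is from the write-up; the strings are constructed. */
#define COMPANY_COUNT 4
static const char *companies[COMPANY_COUNT] = {
    "Airbus", "Boeing", "Bombardier", "Embraer"
};

/* Vulnerable pattern: choice_ comes straight from user input and is used
 * without a range check, so any value past the array reads whatever pointer
 * happens to follow 'companies' in memory and dereferences it. Defined only
 * to contrast with the checked version below; nothing here calls it. */
const char *company_name_unchecked(long choice_)
{
    return companies[choice_];
}

/* Hardened pattern: validate against the array's real size before indexing.
 * An unsigned index also rules out negative values, which would read before
 * the array. NULL tells the caller to refuse the request instead of printing
 * from a wild pointer. */
const char *company_name_checked(size_t choice_)
{
    if (choice_ >= COMPANY_COUNT)
        return NULL;
    return companies[choice_];
}

/* A plane stores only a validated company index, so the later "list planes
 * at airport" code can index the table without repeating the check. */
struct plane {
    char   name[32];
    size_t company;
};

/* Returns 0 on success, -1 if the requested index is out of range. */
int plane_set_company(struct plane *p, long choice_)
{
    if (choice_ < 0 || (size_t)choice_ >= COMPANY_COUNT)
        return -1;              /* reject; never store an out-of-range index */
    p->company = (size_t)choice_;
    return 0;
}

void plane_print(const struct plane *p)
{
    printf("%s (%s)\n", p->name, company_name_checked(p->company));
}

int main(void)
{
    struct plane p;
    strcpy(p.name, "constructed-plane");

    /* 14 and 15 are the out-of-range indices used for the leak above;
     * with the check in place they are refused rather than dereferenced. */
    printf("set 14 -> %d\n", plane_set_company(&p, 14));
    printf("set  2 -> %d\n", plane_set_company(&p, 2));
    plane_print(&p);
    return 0;
}
```

The check belongs at the point where the index enters the program (plane_set_company), not only at print time; validating once at the boundary means no stored index can ever be out of range when the listing code runs.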

Additionally, there is a double-free vulnerability as well as a use-after-free (UAF) vulnerability.

We can use these vulnerabilities to perform a fast-bin attack.
However, instead of overwriting one of the *_hook function pointers, as I’ve done in the past, we will overwrite a specialFree function pointer that is just a wrapper around free() and is called whenever a plane is directly sold.
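The double-free and use-after-free both come from a sell path that frees an object while the program keeps its pointer around. The following added example (not the challenge's code) models the write-up's global array of airport pointers with a vulnerable sell routine beside a hardened one that refuses an empty slot and clears the slot after free(). The capacity of 8, the struct fields and all function names are assumed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_AIRPORTS 8          /* capacity is assumed */

struct airport {
    char name[32];
    int  planes_parked;
};

/* Global table of pointers, as the write-up describes for airports. */
static struct airport *airports[MAX_AIRPORTS];

/* Returns the slot index on success, -1 if the table is full or
 * allocation fails. */
int build_airport(const char *name)
{
    for (int i = 0; i < MAX_AIRPORTS; i++) {
        if (airports[i] == NULL) {
            struct airport *a = calloc(1, sizeof *a);
            if (a == NULL)
                return -1;
            snprintf(a->name, sizeof a->name, "%s", name);
            airports[i] = a;
            return i;
        }
    }
    return -1;
}

/* Vulnerable shape: free the chunk but leave the stale pointer in the
 * table, so a second "sell" frees it again (double free) and a later
 * "list" reads freed memory (use-after-free). Nothing here calls it. */
void sell_airport_vulnerable(int idx)
{
    free(airports[idx]);
}

/* Hardened shape: range-check the index, refuse a slot that is already
 * empty (blocks the double free), and clear the slot after free() so no
 * other path can reach the freed chunk (blocks the use-after-free).
 * Returns 0 on success, -1 on an invalid or already-sold index. */
int sell_airport(int idx)
{
    if (idx < 0 || idx >= MAX_AIRPORTS)
        return -1;
    if (airports[idx] == NULL)
        return -1;
    free(airports[idx]);
    airports[idx] = NULL;
    return 0;
}

/* Read path under the same rules: a sold or out-of-range slot yields NULL
 * rather than a dangling pointer. */
const struct airport *get_airport(int idx)
{
    if (idx < 0 || idx >= MAX_AIRPORTS)
        return NULL;
    return airports[idx];
}

int live_airport_count(void)
{
    int n = 0;
    for (int i = 0; i < MAX_AIRPORTS; i++)
        if (airports[i] != NULL)
            n++;
    return n;
}

int main(void)
{
    int a = build_airport("constructed-airport-A");
    int b = build_airport("constructed-airport-B");
    printf("built %d and %d, live=%d\n", a, b, live_airport_count());
    printf("sell %d -> %d\n", a, sell_airport(a));
    printf("sell %d again -> %d (refused)\n", a, sell_airport(a));
    printf("get %d -> %p\n", a, (void *)get_airport(a));
    printf("live=%d\n", live_airport_count());
    sell_airport(b);
    return 0;
}
```

The same rule applies to the doubly-linked plane list: a sell must unlink the node before freeing it, and any function pointer stored inside a heap object (like the specialFree wrapper) is only as trustworthy as the guarantee that no freed chunk is ever reachable again.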